1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
|
/*
* GCM Mode
* (C) 2013 Jack Lloyd
*
* Distributed under the terms of the Botan license
*/
#ifndef BOTAN_AEAD_GCM_H__
#define BOTAN_AEAD_GCM_H__
#include <botan/aead.h>
#include <botan/block_cipher.h>
#include <botan/stream_cipher.h>
#include <memory>
namespace Botan {
class GHASH;
/**
* GCM Mode
*/
class BOTAN_DLL GCM_Mode : public AEAD_Mode
{
public:
secure_vector<byte> start(const byte nonce[], size_t nonce_len) override;
void set_associated_data(const byte ad[], size_t ad_len) override;
std::string name() const override;
size_t update_granularity() const;
Key_Length_Specification key_spec() const override;
// GCM supports arbitrary nonce lengths
bool valid_nonce_length(size_t) const override { return true; }
size_t tag_size() const { return m_tag_size; }
void clear();
protected:
void key_schedule(const byte key[], size_t length) override;
GCM_Mode(BlockCipher* cipher, size_t tag_size);
const size_t BS = 16;
const size_t m_tag_size;
const std::string m_cipher_name;
std::unique_ptr<StreamCipher> m_ctr;
std::unique_ptr<GHASH> m_ghash;
};
/**
* GCM Encryption
*/
class BOTAN_DLL GCM_Encryption : public GCM_Mode
{
public:
/**
* @param cipher the 128 bit block cipher to use
* @param tag_size is how big the auth tag will be
*/
GCM_Encryption(BlockCipher* cipher, size_t tag_size = 16) :
GCM_Mode(cipher, tag_size) {}
size_t output_length(size_t input_length) const override
{ return input_length + tag_size(); }
size_t minimum_final_size() const override { return 0; }
void update(secure_vector<byte>& blocks, size_t offset = 0) override;
void finish(secure_vector<byte>& final_block, size_t offset = 0) override;
};
/**
* GCM Decryption
*/
class BOTAN_DLL GCM_Decryption : public GCM_Mode
{
public:
/**
* @param cipher the 128 bit block cipher to use
* @param tag_size is how big the auth tag will be
*/
GCM_Decryption(BlockCipher* cipher, size_t tag_size = 16) :
GCM_Mode(cipher, tag_size) {}
size_t output_length(size_t input_length) const override
{
BOTAN_ASSERT(input_length > tag_size(), "Sufficient input");
return input_length - tag_size();
}
size_t minimum_final_size() const override { return tag_size(); }
void update(secure_vector<byte>& blocks, size_t offset = 0) override;
void finish(secure_vector<byte>& final_block, size_t offset = 0) override;
};
/**
* GCM's GHASH
* Maybe a Transform?
*/
class BOTAN_DLL GHASH : public SymmetricAlgorithm
{
public:
void set_associated_data(const byte ad[], size_t ad_len);
secure_vector<byte> nonce_hash(const byte nonce[], size_t len);
void start(const byte nonce[], size_t len);
/*
* Assumes input len is multiple of 16
*/
void update(const byte in[], size_t len);
secure_vector<byte> final();
Key_Length_Specification key_spec() const { return Key_Length_Specification(16); }
void clear();
std::string name() const { return "GHASH"; }
private:
void key_schedule(const byte key[], size_t key_len) override;
void gcm_multiply(secure_vector<byte>& x) const;
void ghash_update(secure_vector<byte>& x,
const byte input[], size_t input_len);
void add_final_block(secure_vector<byte>& x,
size_t ad_len, size_t pt_len);
secure_vector<byte> m_H;
secure_vector<byte> m_H_ad;
secure_vector<byte> m_nonce;
secure_vector<byte> m_ghash;
size_t m_ad_len = 0, m_text_len = 0;
};
}
#endif
|